As an information security manager, you've very likely come to appreciate the benefits of Snort, the immensely popular open source network intrusion detection system. But you may have balked at implementing Snort-based network security monitoring because integrating and using Snort and complementary tools may be technically daunting, or require too much of your staff's time and energy to make it worth the effort.

Snort alone doesn't give you a complete network security monitoring tool, and integrating and using all the pieces you need may be frustrating. The popular BASE console, for example, is often used with Snort, but like all Web-based consoles, it lacks speed, doesn't provide real-time alerting and has limited analysis functionality.


This figure shows a simple architecture that matches what you'd be utilizing via the Knoppix-NSM LiveCD in its default configuration, as well as the NSM framework utilized by this distribution. Source: Intelguardians (http://www.intelguardians.com/snortguis.pdf)

Once you've booted from the Knoppix-NSM LiveCD, you can immediately start monitoring using the following command sequences:

From a root console, if you didn't assign a static IP at boot, execute pump -i eth0 to obtain an address dynamically. For permanent installations, a static IP is recommended.

From a root console (right click on the desktop) execute:

/etc/init.d/mysql start to start the MySQL database
/etc/init.d/apache2 start to start the Web server
/etc/init.d/sguild start to start the Sguil server daemon
sensor default start to start the Sguil sensor
/etc/init.d/ntop.default start to start ntop if you wish to see traffic details. This step can cause performance issues from the LiveCD, so use it with caution and stop it if need be.

From a non-root console execute: sguilc, with sguil as the username and password as the password.

At this point, you have a Sguil analysis console at your disposal, as well as BASE and ntop from the Iceweasel browser bookmark toolbar.
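The startup sequence above as a small POSIX sh script (an added example, not part of the Knoppix-NSM distribution or the original article). It runs the services in the order given and refuses to continue if one does not come up. The readiness checks are assumptions rather than anything stated on the page: MySQL on TCP 3306, Apache on TCP 80, sguild on TCP 7734 (Sguil's default), and the sensor showing up as a snort process; ntop is left out of the plan because of the performance caveat and started only on request.

```shell
#!/bin/sh
# Start the Knoppix-NSM services in the article's order and verify each one.
# Assumed readiness checks (not from the article): 3306 mysql, 80 apache2,
# 7734 sguild, a running "snort" process for the sensor.
set -u

# Ordered plan: "command|check" per line. ntop is deliberately excluded.
nsm_plan() {
    cat <<'EOF'
/etc/init.d/mysql start|port:3306
/etc/init.d/apache2 start|port:80
/etc/init.d/sguild start|port:7734
sensor default start|proc:snort
EOF
}

# Return 0 if something is listening on the given TCP port (ss, else netstat).
listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    else
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":$1\$"
    fi
}

# Evaluate one check spec such as "port:3306" or "proc:snort".
check_ok() {
    case "$1" in
        port:*) listening "${1#port:}" ;;
        proc:*) pgrep -x "${1#proc:}" >/dev/null 2>&1 ;;
        *)      return 1 ;;
    esac
}

# Run the plan; stop at the first service that fails to start or come up.
nsm_start() {
    nsm_plan | while IFS='|' read -r cmd check; do
        printf 'starting: %s\n' "$cmd"
        $cmd || { echo "FAILED: $cmd" >&2; exit 1; }
        sleep 2   # give the daemon a moment before checking
        check_ok "$check" || { echo "NOT UP ($check): $cmd" >&2; exit 1; }
    done
}

# Usage: sh nsm-start.sh start     (run as root on the LiveCD)
#        sh nsm-start.sh ntop      (optional; watch LiveCD performance)
case "${1:-}" in
    start) nsm_start ;;
    ntop)  /etc/init.d/ntop.default start ;;
esac
```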

--RUSS McREE

Versatile Tool

Organizations already running IDS in some form can still put Knoppix-NSM to good use:

Quick deployment. Say you've been dispatched to a remote site to assess the security posture of a recent acquisition. It's doing the bare minimum, content to assume all is well because it has a firewall. With permission from management, and the cooperation of a network engineer, you boot up Knoppix-NSM and connect to a SPAN port on a core network switch. You quickly determine that all in fact is not well, and extensive remediation will be required before joining the acquired network to your well-protected, monitored and maintained existing network.

Instant console. Your Snort farm is well managed and performs its purpose, but you're in need of an additional console immediately. This is often useful to compare console attributes or provide additional perspective. Sguil in particular offers analysis functionality considered by many NSM practitioners to be superior to any other console.

Learning and testing. Knoppix-NSM is the ideal framework for teaching and testing. Perhaps your security operations staff is growing and you need to set up a classroom environment with minimal hardware and effort. Imagine an attack-and-defend approach where Knoppix-NSM is running on a central server. Half of your class is running a Sguil console via Knoppix-NSM, and the other half is attacking virtual victims. With the aid of virtual machines and a few surplus laptops/desktops, you can show your new junior analysts the benefits of a well-monitored network.

Knoppix-NSM is an extremely useful LiveCD with a bright future: Securixlive.com says more analysis tools and a SIM/SEM tool are on the way in future releases, when the distribution will be rechristened Securix-NSM.
